traefik + Keycloak + netbird - after Keycloak login I get "Request failed with status code 404 Error:"

[glanc]

Hello,

I am using traefik and Keycloak and already got portainer and other self hosted service working with sso. I have followed the advanced guide to configure and try netbird. When opening nb.mydomain.com I get the Keycloak user/password request and after I get a Request failed with status code 404 Error:. Tried several solution found but I am stuck there.

my docker-compose:

services:

UI dashboard

nb-dashboard: image: netbirdio/dashboard:latest container_name: nb-dashboard restart: unless-stopped security_opt:

• no-new-privileges:true environment:

  Endpoints

• NETBIRD_MGMT_API_ENDPOINT=https://nb.mydomain.com:443
• NETBIRD_MGMT_GRPC_API_ENDPOINT=https://nb.mydomain.com:443
• AUTH_AUDIENCE=netbird-client
• AUTH_CLIENT_ID=netbird-client
• AUTH_AUTHORITY=https://auth.mydomain.com/realms/netbird
• USE_AUTH0=false
• AUTH_SUPPORTED_SCOPES=openid profile email offline_access api
• NETBIRD_TOKEN_SOURCE=accessToken
• NGINX_SSL_PORT=443 networks:
• traefik-net labels:
• traefik.enable=true
• traefik.http.routers.netbird-dashboard.rule=Host(nb.mydomain.com)
• traefik.http.services.netbird-dashboard.loadbalancer.server.port=80
• traefik.http.routers.netbird-dashboard.entryPoints=websecure
• traefik.http.routers.netbird-dashboard.tls.certresolver=myresolver
• traefik.http.services.netbird-dashboard.loadbalancer.passHostHeader=true
• traefik.docker.network=traefik-net

  Signal

  nb-signal: image: netbirdio/signal:latest container_name: nb-signal restart: unless-stopped security_opt:

• no-new-privileges:true volumes:
• ./netbird-signal:/var/lib/netbird networks:
• traefik-net labels:
• traefik.enable=true
• traefik.http.routers.netbird-signal.rule=Host(nb.mydomain.com) && PathPrefix(/signalexchange.SignalExchange/)
• traefik.http.services.netbird-signal.loadbalancer.server.port=80
• traefik.http.services.netbird-signal.loadbalancer.server.scheme=h2c
• traefik.http.routers.netbird-signal.entryPoints=websecure
• traefik.http.routers.netbird-signal.service=netbird-signal
• traefik.http.services.netbird-signal.loadbalancer.passHostHeader=true
• traefik.docker.network=traefik-net

  Management

  nb-management: image: netbirdio/management:latest container_name: nb-management restart: unless-stopped security_opt:

• no-new-privileges:true depends_on:
• nb-dashboard volumes:
• ./netbird-mgmt:/var/lib/netbird
• ./management.json:/etc/netbird/management.json command: [ "--port", "443", "--log-file", "console", "--log-level", "debug", "--disable-anonymous-metrics=true", "--single-account-mode-domain=nb.mydomain.com", "--dns-domain=netbird.selfhosted", "--user-delete-from-idp" ] networks:
• traefik-net labels:
• traefik.enable=true
• traefik.http.routers.netbird-api.rule=Host(nb.mydomain.com) && PathPrefix(/api)
• traefik.http.routers.netbird-api.service=netbird-api
• traefik.http.services.netbird-api.loadbalancer.passHostHeader=true
• traefik.http.routers.netbird-api.entryPoints=websecure
• traefik.http.services.netbird-api.loadbalancer.server.port=443
• traefik.http.routers.netbird-management.rule=Host(nb.mydomain.com) && PathPrefix(/management.ManagementService/)
• traefik.http.routers.netbird-management.service=netbird-management
• traefik.http.routers.netbird-management.entryPoints=websecure
• traefik.http.services.netbird-management.loadbalancer.server.port=443
• traefik.http.services.netbird-management.loadbalancer.server.scheme=h2c
• traefik.http.services.netbird-management.loadbalancer.passHostHeader=true
• traefik.docker.network=traefik-net

  Coturn

  nb-coturn: image: coturn/coturn:latest restart: unless-stopped container_name: nb-coturn domainname: nb.mydomain.com volumes:

• ./turnserver.conf:/etc/turnserver.conf:ro network_mode: host command:
• -c /etc/turnserver.conf networks: traefik-net: external: true

my management.json

{ "Stuns": [ { "Proto": "udp", "URI": "stun:nb.mydomain.com:3478", "Username": "", "Password": "" } ], "TURNConfig": { "TimeBasedCredentials": false, "CredentialsTTL": "12h0m0s", "Secret": "secret", "Turns": [ { "Proto": "udp", "URI": "turn:nb.mydomain.com:3478", "Username": "self", "Password": “…..” } ] }, "Signal": { "Proto": "https", "URI": "nb.mydomain.com:443", "Username": "", "Password": "" }, "Datadir": "/var/lib/netbird/", "DataStoreEncryptionKey": "VtYUCt+DW9s1cDMy4i63RlnkzmcmIpT4Z1Vu+n+bvXA=", "HttpConfig": { "AuthAudience": "netbird-client", "AuthIssuer": "https://auth.mydomain.com/realms/netbird", "AuthUserIDClaim": "", "AuthKeysLocation": "https://auth.mydomain.com/realms/netbird/protocol/openid-connect/certs", "OIDCConfigEndpoint": "https://auth.mydomain.com/realms/netbird/.well-known/openid-configuration", "IdpSignKeyRefreshEnabled": true },

"IdpManagerConfig": {
    "ManagerType": "keycloak",
    "ClientConfig": {
        "Issuer": "https://auth.mydomain.com/realms/netbird",
        "TokenEndpoint": "https://auth.mydomain.com/realms/netbird/protocol/openid-connect/token",
        "ClientID": "netbird-backend",
        "ClientSecret": “——“,
        "GrantType": "client_credentials"
    },
    "ExtraConfig": {
        "AdminEndpoint": "https://auth.mydomain.com/admin/realms/netbird"
    },
    "Auth0ClientCredentials": null,
    "AzureClientCredentials": null,
    "KeycloakClientCredentials": null,
    "ZitadelClientCredentials": null
},
"DeviceAuthorizationFlow": {
    "Provider": "hosted",
    "ProviderConfig": {
        "ClientID": "netbird-client",
        "ClientSecret": "",
        "Domain": "auth.mydomain.com",
        "Audience": "netbird-client",
        "TokenEndpoint": "https://auth.mydomain.com/realms/netbird/protocol/openid-connect/token",
        "DeviceAuthEndpoint": "https://auth.mydomain.com/realms/netbird/protocol/openid-connect/auth/device",
        "AuthorizationEndpoint": "",
        "Scope": "openid",
        "UseIDToken": false,
        "RedirectURLs": null
    }
},
"PKCEAuthorizationFlow": {
    "ProviderConfig": {
        "ClientID": "netbird-client",
        "ClientSecret": "",
        "Domain": "",
        "Audience": "netbird-client",
        "TokenEndpoint": "https://auth.mydomain.com/realms/netbird/protocol/openid-connect/token",
        "DeviceAuthEndpoint": "",
        "AuthorizationEndpoint": "https://auth.mydomain.com/realms/netbird/protocol/openid-connect/auth",
        "Scope": "openid profile email offline_access api",
        "UseIDToken": false,
        "RedirectURLs": [
            "http://localhost:53000"
        ]
    }
},
"StoreConfig": {
    "Engine": "sqlite"
},
"ReverseProxy": {
    "TrustedHTTPProxies": [],
    "TrustedHTTPProxiesCount": 0,
    "TrustedPeers": [
        "0.0.0.0/0"
    ]
}

}

docker logs nb-management

2024-04-04T20:55:33Z INFO management/cmd/management.go:455: loading OIDC configuration from the provided IDP configuration endpoint https://auth.mydomain.com/realms/netbird/.well-known/openid-configuration 2024-04-04T20:55:33Z INFO management/cmd/management.go:460: loaded OIDC configuration from the provided IDP configuration endpoint: https://auth.mydomain.com/realms/netbird/.well-known/openid-configuration 2024-04-04T20:55:33Z INFO management/cmd/management.go:462: overriding HttpConfig.AuthIssuer with a new value https://auth.mydomain.com/realms/netbird, previously configured value: https://auth.mydomain.com/realms/netbird 2024-04-04T20:55:33Z INFO management/cmd/management.go:466: overriding HttpConfig.AuthKeysLocation (JWT certs) with a new value https://auth.mydomain.com/realms/netbird/protocol/openid-connect/certs, previously configured value: https://auth.mydomain.com/realms/netbird/protocol/openid-connect/certs 2024-04-04T20:55:33Z INFO management/cmd/management.go:471: overriding DeviceAuthorizationFlow.TokenEndpoint with a new value: https://auth.mydomain.com/realms/netbird/protocol/openid-connect/token, previously configured value: https://auth.mydomain.com/realms/netbird/protocol/openid-connect/token 2024-04-04T20:55:33Z INFO management/cmd/management.go:474: overriding DeviceAuthorizationFlow.DeviceAuthEndpoint with a new value: https://auth.mydomain.com/realms/netbird/protocol/openid-connect/auth/device, previously configured value: https://auth.mydomain.com/realms/netbird/protocol/openid-connect/auth/device 2024-04-04T20:55:33Z INFO management/cmd/management.go:482: overriding DeviceAuthorizationFlow.ProviderConfig.Domain with a new value: auth.mydomain.com, previously configured value: auth.mydomain.com 2024-04-04T20:55:33Z INFO management/cmd/management.go:492: overriding PKCEAuthorizationFlow.TokenEndpoint with a new value: https://auth.mydomain.com/realms/netbird/protocol/openid-connect/token, previously configured value: https://auth.mydomain.com/realms/netbird/protocol/openid-connect/token 2024-04-04T20:55:33Z INFO management/cmd/management.go:495: overriding PKCEAuthorizationFlow.AuthorizationEndpoint with a new value: https://auth.mydomain.com/realms/netbird/protocol/openid-connect/auth, previously configured value: https://auth.mydomain.com/realms/netbird/protocol/openid-connect/auth 2024-04-04T20:55:33Z INFO management/server/telemetry/app_metrics.go:177: enabled application metrics and exposing on http://0.0.0.0:8081 2024-04-04T20:55:33Z INFO management/server/store.go:92: using SQLite store engine 2024-04-04T20:55:33Z DEBG management/server/activity/sqlite/sqlite.go:328: check deleted_users table version 2024-04-04T20:55:33Z DEBG management/server/geolocation/store.go:174: took 172.315208ms to setup geoname db 2024-04-04T20:55:33Z INFO management/cmd/management.go:173: geo location service has been initialized from /var/lib/netbird/ 2024-04-04T20:55:33Z INFO management/server/account.go:885: single account mode enabled, accounts number 0 2024-04-04T20:55:33Z DEBG management/server/idp/keycloak.go:125: requesting new jwt token for keycloak idp manager 2024-04-04T20:55:33Z DEBG management/server/ephemeral.go:135: loaded ephemeral peer(s): 0 2024-04-04T20:55:33Z INFO management/cmd/management.go:292: running gRPC backward compatibility server: [::]:33073 2024-04-04T20:55:33Z INFO management/cmd/management.go:324: management server version 0.27.0 2024-04-04T20:55:33Z INFO management/cmd/management.go:325: running HTTP server and gRPC server on the same port: [::]:443 2024-04-04T20:55:33Z INFO management/server/account.go:1072: 1 entries received from IdP management 2024-04-04T20:55:33Z INFO management/server/account.go:1101: warmed up IDP cache with 0 entries

[Takalele]

@glanc try to add the following labels to the management container, this solved the problem for me.

• "traefik.http.routers.netbird-api.tls=true"
• "traefik.http.routers.netbird-management.tls=true"

BR Takalele